US-9720723

Protected guests in a hypervisor controlled system

Published: August 1, 2017
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

A computer-implemented method includes receiving a definition of a source guest memory area for utilization by a virtual machine on a source system, wherein the source system includes a source trusted firmware and a source hypervisor. The method restricts write access to the source guest memory area of the virtual machine. The method receives repeatedly a source guest memory page location, content for each of a plurality of source guest memory pages, and an integrity value for each of a plurality of source guest memory page locations. The method receives a global integrity value for integrity values associated with the plurality of source guest memory page locations, wherein a latest integrity value for each of the plurality of source guest memory page locations is utilized. Subsequent to verifying the global integrity value, the method initializes the virtual machine on the source hypervisor.

Patent Claims
14 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A method comprising: receiving, by one or more processors, a definition of a source guest memory area for utilization by a virtual machine on a source system, wherein the source system includes a source trusted firmware and a source hypervisor; restricting, by one or more processors, write access to the source guest memory area of the virtual machine; receiving, by one or more processors, repeatedly from the source hypervisor, a source guest memory page location, content for each of a plurality of source guest memory pages, and an integrity value for each of a plurality of source guest memory page locations; receiving, by one or more processors, a global integrity value for integrity values associated with the plurality of source guest memory page locations, wherein a latest integrity value for each of the plurality of source guest memory page locations is utilized; and subsequent to verifying the global integrity value received from the source hypervisor matches the integrity values, initializing, by one or more processors, the virtual machine on the source hypervisor.

Plain English Translation

A method for securing virtual machines involves defining a memory area for a VM on a system with trusted firmware and a hypervisor. Write access to this memory area is restricted. The system repeatedly receives the location of memory pages, their content, and an integrity value for each page from the hypervisor. A global integrity value, calculated using the latest integrity value of each page, is also received. The VM is initialized only after verifying that the received global integrity value matches the calculated integrity values.

Claim 2

Original Legal Text

2. The method of claim 1, further comprising: managing, by one or more processors, a configuration of the virtual machine on the source system, wherein the source system includes a private key accessible by the source trusted firmware; and verifying, by one or more processors, the integrity values for the virtual machine, received with the definition of the source guest memory area, according to a secret guest key associated with the virtual machine accessible only by the source trusted firmware.

Plain English Translation

In addition to the method described for securing virtual machines using integrity checks (Claim 1), this enhancement manages the VM's configuration on the source system. The source system has a private key accessible by the trusted firmware. The integrity values of the VM, received with the memory area definition, are verified using a secret guest key associated with the VM, which is accessible only by the source trusted firmware. The VM is therefore initialized only when its integrity values verify under that key.

Claim 3

Original Legal Text

3. The method of claim 2, wherein another plurality of source guest memory pages not received by the source trusted firmware are non-content filled pages.

Plain English Translation

Building on the secure VM method (Claim 2) involving integrity checks and secret keys, the guest memory pages that the source trusted firmware does not receive are "non-content filled" pages, meaning no content was submitted for them.

Claim 4

Original Legal Text

4. The method of claim 2, wherein the integrity value for each of the plurality of source guest memory page locations is at least one of a message authentication code or a cryptographic signature.

Plain English Translation

Enhancing the VM security (Claim 2) using integrity checks and secret keys, the integrity value used for each memory page is specified as either a message authentication code (MAC) or a cryptographic signature. These techniques let the trusted firmware detect whether memory page content was tampered with during transmission or storage. They protect integrity and authenticity, not confidentiality.
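
The checks described in Claims 1, 2 and 4, as an added sketch that is not code from the patent or from this page: a firmware-side verifier that accepts pages only with a valid per-page MAC and starts the guest only if the global value matches the latest accepted value of every location. HMAC-SHA256, binding the location into each page value, the encoding of the global value, and all names (`TrustedFirmware`, `load_guest`, the sample key and pages) are assumptions made for the example.

```python
import hashlib
import hmac

# Assumed construction: the claims on this page do not fix a MAC algorithm or encoding.
def page_mac(key: bytes, location: int, content: bytes) -> bytes:
    """Per-page integrity value: HMAC-SHA256 over location and content."""
    return hmac.new(key, location.to_bytes(8, "big") + content, hashlib.sha256).digest()

def global_mac(key: bytes, latest: dict) -> bytes:
    """Global integrity value over the latest per-page value of every location."""
    h = hmac.new(key, b"global", hashlib.sha256)
    for location in sorted(latest):
        h.update(location.to_bytes(8, "big") + latest[location])
    return h.digest()

class TrustedFirmware:
    """Hypothetical firmware-side state while one guest is being loaded."""

    def __init__(self, guest_key: bytes):
        self._key = guest_key
        self._latest = {}  # location -> integrity value of the last accepted page
        self.memory = {}   # guest memory area; only this class writes to it

    def submit_page(self, location: int, content: bytes, mac: bytes) -> bool:
        """Accept a page from the hypervisor only if its integrity value verifies."""
        if not hmac.compare_digest(page_mac(self._key, location, content), mac):
            return False
        self.memory[location] = content
        self._latest[location] = mac  # a resubmission replaces the earlier value
        return True

    def initialize(self, claimed_global: bytes) -> bool:
        """Start the guest only if the global value matches what was accepted."""
        return hmac.compare_digest(global_mac(self._key, self._latest), claimed_global)

def load_guest(key: bytes, submissions: list, claimed_global: bytes) -> bool:
    """Replay a hypervisor's submission sequence; True means the guest may start."""
    fw = TrustedFirmware(key)
    accepted = [fw.submit_page(loc, data, mac) for loc, data, mac in submissions]
    return all(accepted) and fw.initialize(claimed_global)

# Constructed sample data: the guest owner prepares two pages, then updates page 0.
KEY = b"constructed-secret-guest-key"
OLD0 = (0x0000, b"boot v1", page_mac(KEY, 0x0000, b"boot v1"))
NEW0 = (0x0000, b"boot v2", page_mac(KEY, 0x0000, b"boot v2"))
PAGE1 = (0x1000, b"kernel", page_mac(KEY, 0x1000, b"kernel"))
GLOBAL = global_mac(KEY, {0x0000: NEW0[2], 0x1000: PAGE1[2]})
```

Submitting `OLD0` after `NEW0` passes every per-page check and fails only at the global value, as does leaving `PAGE1` out; a per-page MAC alone would not detect either case.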

Claim 5

Original Legal Text

5. The method of claim 2, wherein the source trusted firmware allows the virtual machine to determine whether the source trusted firmware is in possession of a secret key associated with the virtual machine.

Plain English Translation

In the context of secure VMs (Claim 2) managed by trusted firmware with integrity checks, the VM itself can determine if the trusted firmware holds a secret key associated with it. This allows the VM to adapt its behavior based on whether it's running in a fully trusted environment or a less secure one, promoting secure operation.

Claim 6

Original Legal Text

6. The method of claim 2, further comprising: removing, by one or more processors, access rights to a first source guest memory page from the virtual machine; computing, by one or more processors, a first integrity value for the first source guest memory page; and subsequent to storing the first integrity value in memory accessible to the source trusted firmware, granting, by one or more processors, write access to the first source guest memory page to the source hypervisor, wherein the first source guest memory page is an evicted guest memory page.

Plain English Translation

Expanding on the secure VM environment (Claim 2), the system can revoke the VM's access to a memory page (making it an "evicted" page). It calculates an integrity value for this page and stores it in memory accessible to the trusted firmware. Then, it grants write access to the hypervisor, allowing the hypervisor to manage the page while preserving its integrity through the stored value.

Claim 7

Original Legal Text

7. The method of claim 6, further comprising: restricting, by one or more processors, write access to the evicted guest memory page; verifying, by one or more processors, the first integrity value stored for a location of the evicted guest memory page matches content of the evicted guest memory page; and subsequent to determining the verification fails, restoring, by one or more processors, write access to the evicted guest memory page.

Plain English Translation

Building on the evicted page mechanism (Claim 6), write access to an evicted memory page is restricted. The system verifies whether the stored integrity value for the page matches its current content. If verification fails, write access to the evicted page is restored; a failed check means the page content no longer matches the stored integrity value, which points to compromise or corruption.

Claim 8

Original Legal Text

8. The method of claim 6, further comprising: restricting, by one or more processors, write access to the evicted guest memory page; verifying, by one or more processors, the first integrity value stored for the location of the evicted guest memory page matches content of the evicted guest memory page; and subsequent to determining that the verification succeeds, granting, by one or more processors, write access to the evicted page by the virtual machine.

Plain English Translation

Building on the evicted page mechanism (Claim 6), write access to an evicted memory page is restricted. The system verifies if the stored integrity value for the page matches its current content. If verification succeeds, the VM is granted write access to the page again, indicating safe return to service and preventing unauthorized modification.

Claim 9

Original Legal Text

9. The method of claim 6, wherein the source hypervisor is obtaining the first integrity value of the evicted guest memory page.

Plain English Translation

In the evicted guest memory page scheme (Claim 6) involving integrity value calculation, the hypervisor retrieves the integrity value of the evicted page. This provides the hypervisor with a means to independently verify the page's integrity before re-assigning it, enhancing security in resource management.

Claim 10

Original Legal Text

10. The method of claim 6, further comprising: computing, by one or more processors, the global integrity value of the integrity values for the plurality of source guest memory pages, wherein the plurality of source guest memory pages include submitted, evicted, or content filled pages; terminating, by one or more processors, the virtual machine; and granting, by one or more processors, the source hypervisor access to the global integrity value.

Plain English Translation

Further enhancing secure VM management with eviction (Claim 6), a global integrity value is computed from all page integrity values (including submitted, evicted, and content-filled pages). The VM is terminated, and the hypervisor is given access to this global integrity value. This allows complete state verification before or during VM migration or shutdown.

Claim 11

Original Legal Text

11. The method of claim 10, further comprising: sending, by one or more processors, the secret guest key to verify the integrity values encrypted by a public key of a target trusted firmware of a target system; continuously evicting, by one or more processors, the plurality of source guest memory pages from the virtual machine; requesting, by one or more processors, integrity values for a plurality of evicted guest memory pages; continuously sending, by one or more processors, content of the plurality of evicted guest memory pages, locations of the plurality of evicted guest memory pages, and integrity values for the plurality of evicted guest memory pages to a target hypervisor on the target system; subsequent to the target hypervisor continuously submitting the plurality of evicted guest memory pages, locations, and integrity values to the target trusted firmware of the target system, terminating, by one or more processors, the virtual machine on the source hypervisor; and sending, by one or more processors, the global integrity value of the terminated virtual machine to the target hypervisor, wherein the target hypervisor submits the global integrity value to the target trusted firmware of the target system.

Plain English Translation

For VM migration (building on Claim 10), the secret guest key used to verify the integrity values is sent encrypted under the public key of the target system's trusted firmware. Memory pages are continuously evicted from the VM, and integrity values are requested for the evicted pages. The content, locations, and integrity values of these evicted pages are continuously sent to the target hypervisor. After the target hypervisor has submitted them to the target trusted firmware, the VM on the source hypervisor is terminated, and the global integrity value is sent to the target hypervisor, which submits it to the target trusted firmware for integrity validation.

Claim 12

Original Legal Text

12. The method of claim 11, further comprising: subsequent to sending content, locations, and integrity values of the plurality of evicted guest memory pages, sending, by one or more processors, a new location, new content, and associated integrity value for at least one of the source guest memory pages to the target hypervisor; and sending, by one or more processors, the global integrity value for integrity values associated with the plurality of source guest memory page locations to the target hypervisor that submits the global integrity value to the target trusted firmware of the target system, wherein a latest integrity value for each of the plurality of source guest memory page locations of the terminated virtual machine is utilized.

Plain English Translation

Building on the VM migration (Claim 11), after sending evicted pages, the system sends new location, content, and integrity value for at least one of the source guest memory pages to the target hypervisor. The global integrity value, using the latest integrity values of all pages, is also sent to the target hypervisor and submitted to the target firmware, ensuring a consistent state transfer.

Claim 13

Original Legal Text

13. The method of claim 12, further comprising: receiving, by one or more processors, from the virtual machine on the source hypervisor, the public key corresponding to a private system key of the target system running a target hypervisor, wherein the public key is signed by the virtual machine.

Plain English Translation

To facilitate secure VM migration (Claim 12), the method receives, from the VM on the source hypervisor, the public key corresponding to a private system key of the target system running the target hypervisor. The public key is signed by the VM. The VM's signature identifies the target system as authorized to receive the VM's state and perform the migration.

Claim 14

Original Legal Text

14. The method of claim 12, wherein terminating the virtual machine on the source hypervisor comprises suspending, by one or more processors, the virtual machine utilizing the integrity value of a virtual machine wrapped by the public key of the target system where the virtual machine is resumed.

Plain English Translation

In the context of migrating the VM (Claim 12), the VM is terminated (suspended) using an integrity value wrapped by the public key of the target system where the VM will be resumed. This binds the VM's state to the target environment, ensuring that it can only be resumed on a system with the corresponding private key, adding another layer of security during migration.


Patent Metadata

Filing Date

October 22, 2015

Publication Date

August 1, 2017


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Protected guests in a hypervisor controlled system” (US-9720723). https://patentable.app/patents/US-9720723
